It was recommended by MS (I believe, I'll double check though) to not set up DNS round robin anymore on 2012 and beyond. I could have misread; I'll go back and look through.
# ¿ Aug 26, 2016 19:34

> NevergirlsOFFICIAL posted: What's a good step-by-step guide that can explain to me how to set up 2FA in my Windows environment? I have googled, read some old blog posts, and still don't feel like I have a good understanding.

We just rolled AuthAnvil 2FA for RDS, it was only a minor pain in my rear end, but we've only been fully turned on for a week or two, so I'm not sure if things are going to explode after a month or two. Unsure about sharepoint capability, but it's very affordable; will require at least 1 VM dedicated, possibly 2 I forget, but you'd want 2 anyway for redundancy, does hook into AD easily as well.

We previously used safeword, I loved safeword, I'm not sure how well it hooks into sharepoint though, or if they're still around, once we switched from 2003 to 2012 we decided to change to authanvil. Unsure about sharepoint capability, hooks into AD easily, does require 2 VMs minimum for redundancy, and I'm not sure regarding pricing.

RSA is also good, my client uses it for VPN, it's loving expensive as hell though.

All of these SHOULD have plenty of documentation to get you well on your way to getting stuff working.

MF_James fucked around with this message at 18:02 on Sep 14, 2016
# ¿ Sep 14, 2016 17:48

> peak debt posted: Does anyone know how to programmatically change a file type association in Windows 10?

Look for default associations.xml, you can't manually modify a bunch of stuff in the registry anymore, the registry is hashed and it will revert the next time it loads. https://www.loginvsi.com/blog/login-vsi/518-fixing-default-file-type-associations-in-windows-10

This worked in server 2012/windows 8, and I believe still works in windows 10
# ¿ Sep 19, 2016 15:52

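As an added example (not from the thread or the linked article), this PowerShell script does what the reply above describes on a reference machine: it exports the current associations with DISM, keeps only the identifiers you actually mean to enforce so the policy does not clobber every other association on the targets, and points the File Explorer "Set a default associations configuration file" policy at the trimmed file. The file paths and the identifier list are assumptions; run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Paths and $Keep are placeholders.
$Exported = 'C:\Temp\DefaultAssociations-full.xml'
$Policy   = 'C:\ProgramData\Org\DefaultAssociations.xml'   # assumed location; a UNC share works too
$Keep     = @('.pdf', '.htm', '.html', 'http', 'https', 'mailto')

# 1) Export the user-default associations from this reference machine.
dism.exe /Online "/Export-DefaultAppAssociations:$Exported" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "DISM export failed with exit code $LASTEXITCODE" }

# 2) Trim the export to the identifiers we care about. Each node looks like
#    <Association Identifier=".pdf" ProgId="..." ApplicationName="..." />
[xml]$doc = Get-Content -LiteralPath $Exported
$remove = $doc.DefaultAssociations.Association | Where-Object { $Keep -notcontains $_.Identifier }
foreach ($node in $remove) { [void]$doc.DefaultAssociations.RemoveChild($node) }
New-Item -ItemType Directory -Path (Split-Path $Policy) -Force | Out-Null
$doc.Save($Policy)

# 3) Write the same registry value the GPO "Set a default associations configuration file"
#    (Computer Configuration > Administrative Templates > Windows Components > File Explorer) sets.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name 'DefaultAssociationsConfiguration' -Value $Policy -Type String

# 4) Show what will be enforced. The per-user UserChoice keys carry a hash, which is why
#    editing them directly does not stick; the policy file is applied at logon instead.
$doc.DefaultAssociations.Association |
    Select-Object Identifier, ProgId, ApplicationName | Format-Table -AutoSize
```

For imaging rather than a policy, the same trimmed file can be baked into a WIM with `dism /Image:<mount> /Import-DefaultAppAssociations:<file>`; on domain machines the GPO route above is simpler because the file can be updated centrally.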
> quote: We recently took on a new client, and I flew out there to re-IP their entire office about a month ago. They have two domain controllers called DC1 and FS2.

> CLAM DOWN posted: Clients.txt

I'm not saying it's good or OK, but this is what you deal with in an MSP, your clients are cheap as gently caress and everything is awful. I would hope that his company made them aware of this and the risks associated.
# ¿ Sep 21, 2016 21:54

127.0.0.1 and then other DCs.
# ¿ Sep 23, 2016 22:08

> Eschatos posted: I'm not seeing a specific GPO/AD thread, so hopefully this is the right place to post this question:

Eschatos, if you apply a GP to an OU, it will apply to everything in that OU*. Computer configuration stuff will apply to computers, user config stuff to users.

*Unless otherwise specified by filtering of some kind.

Feel free to hit me up on IRC, I'm typically in it all day (you know which one!)
# ¿ Sep 28, 2016 18:01

> lol internet. posted: Details on this magical IRC channel please.

haha just an IRC channel for a game we both play, nothing special.
# ¿ Sep 28, 2016 22:12

Dunno where else to ask, but here goes... Just got "tablets" dumped on my lap. We have about 50-60 Windows 8.1 tablets out in the field, previously they were all 'hand' configured. The guy before me created a policy file that he manually imported on all the machines as well as a few other manual steps prior to that. Well, we are getting Windows 10 tablets now (even replaced tablets come back with 10 and not 8.1, it's not the same tablet, but I figured we would get what OS we had previously...) and I'd like to make this process not poo poo.

Basically I need to do a few things:

1) disable built-in admin/guest accounts
2) create another admin account (named the same across all systems)
3) create a lesser privileged account that will essentially operate in a kiosk type mode
4) lock down said account
5) install our monitoring solution
6) patch machine

Steps 1-4 are what I want to streamline, 5 and 6 can be done manually for now. I typically don't handle client type devices, just servers.. a lot of them, but the way we handle spinning up servers will not work for what I'm doing.
# ¿ Oct 4, 2016 22:19

> Zaepho posted: What do the desktop guys use for imaging? MDT/WDS or MDT and SCCM would work quite nicely for these. Everything you're talking about can be rolled into a task sequence.

Yeahhhhhhhhhhhhhhhhhhhhhhhhhhhh........................ we don't do any desktop stuff except internal poo poo for like 20 users. I figured that was going to be the answer though.
# ¿ Oct 4, 2016 22:37

Yeah they aren't attached to a domain sadly. I'll probably create a new registry file and then script everything else that I can. Updates are handled by our monitoring solution (N-Able), so that's no biggie, I'll just script the import of the policy file, the install of n-able and a few other things so all someone (hopefully) has to do is move a folder onto the device and then run the script inside.
# ¿ Oct 5, 2016 00:33

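Steps 1-4 of the tablet list above, for devices that (as the follow-up says) are not domain joined, can be scripted with the local-account cmdlets that ship with Windows 10 and the AssignedAccess module. The script below is an added example, not the poster's script: the account names, the kiosk app and the prompt-for-password approach are assumptions. Assigned access pins the kiosk user to one UWP app; locking a user to a Win32 program needs Shell Launcher instead, which is not shown.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Names and the kiosk app are placeholders.
$AdminName = 'FieldAdmin'
$KioskName = 'FieldKiosk'
# AppUserModelId of the UWP app the kiosk user is locked to (Calculator here as a stand-in).
$KioskApp  = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'

# Admin password is typed at run time so nothing sits in the folder copied to the device.
$AdminPwd = Read-Host -Prompt "Password for $AdminName" -AsSecureString

# The kiosk account gets a long random password that nobody needs to know.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$KioskPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Step 1: built-in Administrator (RID 500) and Guest (RID 501). Match on SID so a
# renamed built-in account is still caught.
Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' } | Disable-LocalUser

# Step 2: the common admin account, same name on every device.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AdminName -Password $AdminPwd -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue

# Step 3: the low-privilege kiosk account; New-LocalUser leaves it in Users only.
if (-not (Get-LocalUser -Name $KioskName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskName -Password $KioskPwd -PasswordNeverExpires -AccountNeverExpires | Out-Null
}

# Step 4: assigned access restricts that user's session to the single app.
Set-AssignedAccess -UserName $KioskName -AppUserModelId $KioskApp

# Verify the result before handing the device over.
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
Get-AssignedAccess
```

Dropping this script next to the policy file and the monitoring installer in one folder matches the "move a folder onto the device and run the script" workflow described later in the thread; the remaining steps (policy import, agent install) can be appended after the verification lines.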
Could make sure they can see/have permissions on that specific folder in the sysvol. Have you tried unjoining/rejoining and see if that has any effect? Also, those machines aren't being filtered with WMI or security filtering right?
# ¿ Oct 12, 2016 02:18

> Wrath of the Bitch King posted: I've gone through most of the common steps, the scope is highly unusual.

What if you blow away the machine policy, does it pull it down again?
# ¿ Oct 12, 2016 18:17

Well, he DOES have other (non 2008) systems that pull that same policy just fine, although I've never dealt with corrupted sysvol so I'm not sure of the exact behavior, I would assume NOTHING would be able to read from the folder/subfolders that were affected though.
# ¿ Oct 12, 2016 19:34

I've had that happen, the policy was in the middle of the order and *edit* correction, the policy was corrupted after the last time someone modified it, every policy would process up to that one, then GP crapped out so nothing after processed.

MF_James fucked around with this message at 05:11 on Oct 14, 2016
# ¿ Oct 14, 2016 05:09

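The symptom in the last two posts, one damaged policy stalling everything after it, can be narrowed down from any admin workstation with RSAT. The script below is an added example, not from the thread: it compares the version AD holds for each GPO with the version in SYSVOL and checks that each GPO's GPT.INI is readable, which is what a client needs before it can process the policy. It assumes the GroupPolicy module and that `$env:USERDNSDOMAIN` is the domain to audit; the `Computer.DSVersion`/`SysvolVersion` property names are those the module exposes on Get-GPO output.

```powershell
# Added example, not code from the thread. Assumes RSAT's GroupPolicy module.
Import-Module GroupPolicy
$domain = $env:USERDNSDOMAIN

$report = foreach ($gpo in Get-GPO -All -Domain $domain) {
    # SYSVOL folder names are the GPO GUID in braces.
    $folder   = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
    $readable = Test-Path -LiteralPath "$folder\GPT.INI"
    [pscustomobject]@{
        Name           = $gpo.DisplayName
        ComputerAD     = $gpo.Computer.DSVersion
        ComputerSysvol = $gpo.Computer.SysvolVersion
        UserAD         = $gpo.User.DSVersion
        UserSysvol     = $gpo.User.SysvolVersion
        GptIniReadable = $readable
        # Version mismatch or unreadable folder = the candidate that stalls processing.
        Suspect        = (-not $readable) -or
                         ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                         ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion)
    }
}
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize

# On the affected client, the Group Policy operational log names the GPO and
# extension that failed; the most recent errors/warnings are usually enough.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in @('Error', 'Warning') } |
    Select-Object TimeCreated, Id, Message | Format-List
```

If a suspect GPO shows up, re-saving it from GPMC bumps the version and rewrites its SYSVOL files, which is the usual way to repair the single corrupted policy without touching the rest.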
> Super Slash posted: Is there some kind of information source about best practices for Windows 10 group policies?

http://www.grouppolicy.biz/2012/11/how-to-use-group-policy-to-change-the-default-lock-screen-image-in-windows-8/

You can also customize the start-menu, by exporting a startmenu layout from one computer and then applying it via group policy (it's an xml file). I could dig up my information on that if you need. I had to do some work to get win10 tablets locked down, I got about 95% of the way done and the work was scrapped...

As far as a single spot to find a ton of info? I couldn't find one, I dug through dozens, maybe even 100+ websites to gather all the stuff I did.
# ¿ Nov 17, 2016 21:00

> Eschatos posted: Office 365 admins, I got a question for you. I've recently discovered that several users at my company have email addresses that are completely desynced from Active Directory. Their email has its own separate password, is listed as In cloud, and their AD account shows up separately as an .onmicrosoft.com address instead of our domain.

I just had to fix one of those. I set up a user but screwed up because they have a .local domain and I let that sync. I changed it in AD to be @contoso.com instead of @contoso.local. Then went to AD and manually edited the user and removed the .onmicrosoft.com and just had their user as @contoso.com, that seems to have fixed it (although this was a whopping 20 minutes ago, but their password to O365 was definitely their AD password because the user was able to log in)
# ¿ Jan 4, 2017 23:13

> tadashi posted: I'm looking for a step-by-step on how to migrate the domain time server. While I was migrating my PDC to a new physical server a while back, I made the time server to be a tertiary domain controller (literally a domain controller of last resort that's a virtual machine) and now I cannot for the life of me get our workstations to stop syncing their time to that backup domain controller instead of the PDC. This is an issue because the backup domain controller is on a Hyper-V VM so its time is not reliable (this was only supposed to be this way for a couple days).

Ahh this should help you, what version of server are you running? https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
# ¿ Jan 9, 2017 18:48

> tadashi posted: Server 2012. That's the other issue, most guides are written for 2003 so some commands can be a little different.

Most things (that I've noticed) have remained the same, you might need to ? and perhaps google slightly more, but the linked article should get you to where you want, I mean basically you want to tell the PDC it's the da boss (and have it get NTP from somewhere?) and then have everything else sync to it.
# ¿ Jan 10, 2017 01:37

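The two replies above boil down to one rule: the PDC emulator is the only machine that talks to an external time source, every other DC and workstation follows the domain hierarchy. As an added example (not from the thread or the linked article), this script can be run on each domain controller; it looks up the PDC emulator role holder and configures w32tm accordingly, which is the same procedure on 2012 as on 2003. The NTP peer names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. $Peers is a placeholder list.
# 0x8 after each peer = client mode only (no symmetric-active peering).
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -eq $pdc) {
    # PDC emulator: authoritative for the domain, syncs from external NTP and
    # advertises itself as a reliable source.
    w32tm.exe /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy (NT5DS) and never claim to be reliable,
    # so clients stop treating a VM-backed backup DC as a time source.
    w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service w32time
w32tm.exe /resync /nowait

# Show where this machine is actually taking time from now.
w32tm.exe /query /source
w32tm.exe /query /status
```

Workstations that were pointed at the tertiary DC by hand need the `domhier` form of the config command too (or simply a time-service restart once the DC flags are fixed); a quick `w32tm /query /source` on a few clients confirms they have moved. On a Hyper-V guest DC, also turn off the host's Time Synchronization integration service so the hypervisor stops overriding the domain hierarchy.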
> GreenNight posted: What do you guys use for enterprise 3rd party patch management? Don't care about the costs, just want it to be easy to use.

N-Able is our monitoring solution, it also handles patching and can do other stuff depending on what you pay for. The patching sucks, I wish we just dropped a WSUS server at all our clients
# ¿ Jan 16, 2017 21:51

> Gozinbulx posted: Can anyone point me to a good guide/outline of group policy settings I should use to limit and hopefully seriously stymie the proliferation of malware/bloatware poo poo on workstations?

What sickening said. I would look up Microsoft's recommended baseline group policy, but Sickening gave you the stuff to get started with. Depending on your size/budget you can use appliances or applications to do email and content filtering. I work with a lot of fortigates/fortinets that act as firewalls and content filters, they seem to do a good job at both, but I'm not a security guy so perhaps there are better ways to go about it, and obviously it depends on your current environment.

MF_James fucked around with this message at 22:44 on Jan 23, 2017
# ¿ Jan 23, 2017 22:41

Has anyone really used LAPS yet? (https://technet.microsoft.com/en-us/library/security/3062591.aspx) Our current setup is ERPM and we disable built-in admin/guest, then create a separate admin and utilize ERPM to manage/rotate the password as needed. Moving forward we would disable guest and then let LAPS manage the built-in admin password. This will save our client roughly 200K a year, so it's something that is getting pushed, provided we don't hit showstoppers. For those that have used it, any issues/gotchas/whatevers?
# ¿ Jan 26, 2017 20:57

Perhaps we aren't going back to the built-in admin account. Initially I thought LAPS could ONLY handle the built-in, but perhaps it has changed since I last looked at it (it's been a while). I am not specifically involved in the project, but figured I'd see what others have experienced.
# ¿ Jan 26, 2017 21:09

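For the "issues/gotchas" question about LAPS above, the two checks worth running once it is rolled out are whether every computer in scope is actually being managed and who can read the stored passwords. The script below is an added example, not from the thread, against the 2015 LAPS that the linked TechNet page describes (the `ms-Mcs-AdmPwdExpirationTime` attribute and the `AdmPwd.PS` module). It assumes the ActiveDirectory and AdmPwd.PS modules are installed; the OU is a placeholder.

```powershell
# Added example, not code from the thread. $OU is a placeholder.
Import-Module ActiveDirectory, AdmPwd.PS
$OU  = 'OU=Workstations,DC=contoso,DC=com'
$now = Get-Date

# The expiration attribute is a FILETIME; a missing value means the LAPS client
# side extension has never run on that machine (not installed, GPO not applied, or
# the schema/permissions step was skipped).
$computers = Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true' `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$status = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    $exp = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
    [pscustomobject]@{
        Name    = $c.Name
        Expires = $exp
        # Expired is normal right after the rotation interval; a long-expired entry
        # means the machine has not refreshed policy in a while.
        State   = if (-not $exp) { 'NoLapsYet' } elseif ($exp -lt $now) { 'Expired' } else { 'OK' }
    }
}
$status | Group-Object State | Select-Object Name, Count
$status | Where-Object { $_.State -ne 'OK' } | Sort-Object Expires | Format-Table -AutoSize

# Gotcha from the LAPS docs: any principal holding "All extended rights" on the OU can
# read ms-Mcs-AdmPwd, not only the group you delegated. List them and trim the list.
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object ObjectDN -ExpandProperty ExtendedRightHolders
```

The second check is the one that bites most deployments: helpdesk or service accounts granted broad OU rights years ago inherit password read access, so run it before the first password rotates rather than after.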
> anthonypants posted: Make a new machine and promote it to a domain controller.

Yeah this. Stand up a new DC immediately, let replication happen and then hand all FSMO roles over to it then demote the other one and trash it.
# ¿ Feb 16, 2017 18:31

Ugh I'm saddened I even have to ask this, but I can't find the answer, my google-fu is failing me. Client bought office 365 home premium and wants to install it on a few work machines, is there some sort of limitation on that install so that it won't go onto domain machines?
# ¿ Feb 20, 2017 23:49

> anthonypants posted: There is no such limitation.

Alright then, we have some other issue, thanks.
# ¿ Feb 20, 2017 23:58

> Thanks Ants posted: You're violating the terms of the license by using it commercially, which you probably don't want to assist your client with if you're an MS partner.

Not an MS partner, and I'm aware. Already have an email from my boss saved where I brought that up and he said "Just Do It"
# ¿ Feb 21, 2017 00:14

You need to raise a huge stink to whoever manages support (or whoever your boss is) and mention how much time this will take across your whole department versus one guy fixing it.
# ¿ Mar 7, 2017 06:54

I've heard it recommended to just go for the newest exam, otherwise you have to take an upgrade exam anyway to get to 2016 level and stay current.
# ¿ Mar 8, 2017 23:23

Do they not have help files loaded? Cisco makes you "memorize"/type commands etc but help will also be available in the CLI*

*Unless there is an issue with the sim OR you're on the wrong path
# ¿ Mar 9, 2017 21:28

> Sickening posted: Just curious, but have you ever taken a MS exam before?

No, I was assuming they were having you write powershell commands not doing something as dumb as multiple choice "Spot the letter that is swapped around" stupidity, but obviously I am dead wrong. At some point I would like to take MCSE, but cisco comes first.
# ¿ Mar 10, 2017 01:08

> lol internet. posted: Anyone know what the minimum amount of servers required for RDS remote app deployment is? And does it require AD? This would be for one or two users.

This seems like a 10lb sledge for a finishing nail. Do you already have RDS farm running and you just need a few people to run remote apps? I mean you CAN do a single server deployment, you just stick all the roles on the single server. This could be a guide (note: I have not read it but it talks about single server RDS deployment): https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

So, you really need 2 servers anyway though, because, yes, you do need AD and SQL (which CAN be installed on a DC with some fuckery). Really, you should probably not be trying to do this for 2 users. What problem are you trying to solve?

MF_James fucked around with this message at 03:25 on Mar 10, 2017
# ¿ Mar 10, 2017 03:21

> lol internet. posted: RDS alone doesn't require sql does it? I don't recall using it on a 2012r2 RDS.

Correct, my fault, but you will need access to a domain controller. So you're still stuck with devoting 2 machines to this. Well, I'm assuming, since you asked about DCs to begin with...
# ¿ Mar 10, 2017 16:03

.local still works fine, it's just slightly extra work, but nothing horrible, we have 2 clients with .locals. I would NEVER EVER go through renaming their domains at this point.
# ¿ Mar 13, 2017 22:08

> CLAM DOWN posted: .local is only excusable if it's a forever private and cut-off network/domain

Have you tried to rename a domain before?
# ¿ Mar 13, 2017 22:35

> CLAM DOWN posted: Yup, it's a terrible idea, doesn't mean .local is good though!

I don't think anyone was advocating creating a domain with .local, but I'm not going to go through the awful that is renaming a domain (especially because MSP land so billable work and all that)
# ¿ Mar 13, 2017 23:06

> Thanks Ants posted: If you don't see any reason why legitimate traffic would come into your network from Russia, China etc. then is blocking it all at your firewall an option?

We block pretty much all countries outside the US on our inbound firewall rules for most of our customers. It's the easiest route to go, though none of them have legitimate business need for inbound connections from outside the US, so that makes it easy.
# ¿ Mar 26, 2017 00:13

Hopefully someone else has dealt with this. I have an RDS farm, 2 terminal servers that some people log into via thin clients and some people have desktops that they are served remote apps to and we use DNS round robin. Currently I have one of the terminal servers in drain mode and everyone that is on network is getting pushed over to the other terminal server just fine, but I have VPN users that are still hitting the loving drained server so they can't log in. Is this a local DNS cache issue, or is something else going on? The remote users are using links provided to them that connect to the farm name, not directly to a server, but it keeps having them hit the drained server and I can't figure out why.
# ¿ Jul 6, 2017 18:49

> BangersInMyKnickers posted: Are you not running a broker server? That's the only way I know for it to properly coordinate sessions and forward them off a drained server reliably.

Yeah we have a 3rd server handling broker services and licensing.
# ¿ Jul 6, 2017 19:06

I'm assuming DNS as everything works fine when not drained and they hit both hosts without issue. Thanks I'll bark up that tree once I can get in touch with one of these guys.
# ¿ Jul 6, 2017 20:23

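The drained-host problem in the last three posts has two moving parts, the broker's placement decision and the name the client resolves, and each can be checked directly. As an added example (not from the thread), the script below asks the connection broker which hosts in the collection still accept new connections, then resolves the farm name from the machine it runs on, once bypassing the local resolver cache and once showing what is cached. Run it from a VPN client to compare with the on-network answer. Broker, collection and farm names are placeholders.

```powershell
# Added example, not code from the thread. Names below are placeholders.
Import-Module RemoteDesktop
$Broker     = 'rdbroker.contoso.local'
$Collection = 'FieldApps'
$FarmName   = 'apps.contoso.local'

# Broker view: NewConnectionAllowed = No is drain mode. The broker should send new
# logons elsewhere; if it lists both hosts as Yes, the host was never drained there.
Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object SessionHost, NewConnectionAllowed | Format-Table -AutoSize

# Client view: what the round-robin farm name returns right now, straight from DNS.
Resolve-DnsName -Name $FarmName -Type A -DnsOnly | Select-Object Name, IPAddress, TTL

# What this client cached earlier. VPN users frequently hold a stale answer from a
# different resolver, which is the "local DNS cache" theory in the question.
Get-DnsClientCache -Entry $FarmName -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive
```

If the broker shows the host correctly drained but VPN users still land on it, the published .rdp files or links are the next place to look: a connection that carries the collection's load-balancing information lets the broker redirect it, while a link straight to a host name never reaches the broker at all.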
> Wrath of the Bitch King posted: I'm still at a loss of where to start, exactly. It all seems a little overwhelming.

I am in the same boat, my assumption is start by learning a language (I'm rolling python since it's popular and somewhat easy, especially if you've coded/scripted before) so you at least have a grasp on it, then jump into doing stuff on AWS/wherever. It was Methanar that posted a good write-up in the Working in IT thread, I don't have it up since I'm at work, but I've got the post saved at home if you can't find it, it's likely within his last 10-15 posts in that thread. Because I'm retarded and forget how to link to specific posts: https://forums.somethingawful.com/showthread.php?threadid=3653857&userid=204963&perpage=40&pagenumber=13

content of said post from Methanar posted:

> What do you want to do?

MF_James fucked around with this message at 16:57 on Oct 31, 2017
# ¿ Oct 31, 2017 16:51